Vulnerability Report: GO-2025-3373
standard library- CVE-2024-45341
- Affects: crypto/x509
- Published: Jan 28, 2025
- Modified: Jan 30, 2025
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
Affected Packages
-
PathGo VersionsSymbols
-
before go1.22.11, from go1.23.0-0 before go1.23.5, from go1.24.0-0 before go1.24.0-rc.2
33 affected symbols
- CertPool.AppendCertsFromPEM
- Certificate.CheckCRLSignature
- Certificate.CheckSignature
- Certificate.CheckSignatureFrom
- Certificate.CreateCRL
- Certificate.Verify
- Certificate.VerifyHostname
- CertificateRequest.CheckSignature
- CreateCertificate
- CreateCertificateRequest
- CreateRevocationList
- DecryptPEMBlock
- EncryptPEMBlock
- HostnameError.Error
- MarshalECPrivateKey
- MarshalPKCS1PrivateKey
- MarshalPKCS1PublicKey
- MarshalPKCS8PrivateKey
- MarshalPKIXPublicKey
- ParseCRL
- ParseCertificate
- ParseCertificateRequest
- ParseCertificates
- ParseDERCRL
- ParseECPrivateKey
- ParsePKCS1PrivateKey
- ParsePKCS1PublicKey
- ParsePKCS8PrivateKey
- ParsePKIXPublicKey
- ParseRevocationList
- RevocationList.CheckSignatureFrom
- SetFallbackRoots
- SystemCertPool
Aliases
References
- https://go.dev/cl/643099
- https://go.dev/issue/71156
- https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
- https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
- https://vuln.go.dev/ID/GO-2025-3373.json
Credits
- Juho Forsén of Mattermost
Feedback
See anything missing or incorrect?
Suggest an edit to this report.